BYOD: Why managing devices is not enough

By Andreas Baumhof

Apr 26, 2013

As part of the Digital Government Strategy, agencies are embracing mobile computing and developing policies to address the emerging bring-your-own-device trend.

Developing BYOD policies is beneficial because they will help agencies reduce costs and increase productivity. But federal agencies have particular challenges when it comes to implementing BYOD: They handle data that must be protected for reasons of national security or taxpayer privacy, and they are the targets of a determined subset of attackers.

The defense industrial base and the intelligence community are obvious targets, but any federal agency faces elevated risk.

Cybersecurity incidents at federal agencies have increased 680 percent in the past six years, according to the Government Accountability Office -- and those are just the incidents we know about. That number is expected to increase as more personal mobile devices connect to agency networks and applications.

Given that malware and stolen identities are primary avenues of attack, here are some steps that agencies can take to ensure that their BYOD policies are as effective as possible.

1. Understand the malware risk. It is increasingly difficult to avoid malware. Users can unwittingly pick up drive-by downloads through common activities such as clicking on shortened URLs in Twitter, doing an image search or even clicking on an infected ad in a trusted site.

Furthermore, personal systems typically lack the malware defenses of managed systems. The risk of acquiring malware increases for devices, such as iPads, that are shared among family members. And because smartphones are on the rise, attackers are writing more malware for mobile apps.

2. Be aware of the identity problem. Often, the purpose of a malware program is to gain log-in credentials. That means agencies have to worry about malware on any device that employees or contractors use because their credentials are at risk of being compromised.

Common Access Card authentication is not enough to protect systems from stolen identities and malware. For instance, man-in-the-browser Trojan horses on a legitimate user's device can hijack a session that was authenticated with a CAC. In addition, attackers are targeting the certificate authorities, such as EMC’s RSA, to effectively gain the keys to the kingdom.

3. Focus on applications. The BYOD discussion typically focuses on managing devices. But the larger threat for agencies is to their applications and data because inconspicuous malware on personal devices -- mobile and otherwise -- can let attackers gain access to federal systems.

There are steps that every agency can and should take immediately to address the growing risk to sensitive applications and data. As always in the security field, a layered defense is the best strategy.

* Help protect your employees against malware. If possible, give your employees malware protection for home computers and personal laptop PCs that they use to access government applications.

* Analyze incoming connections for malware. Use real-time technologies to examine incoming connections to sensitive systems for signs of malware manipulating the session. This will alert you to potential attacks or other malware that could compromise a session.

* Add device identification. By adding device identification technologies to sensitive applications (including email), you can find devices that do not match a legitimate user -- for example, those that hide their true location or are known to be infected with malware.

For even better coverage, make sure those defenses can share information with one another and with a global network of known threats and malicious systems.
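The device identification step above, combined with a shared feed of known-infected devices, can be sketched as follows. This is an added example, not code from the article; the attribute names, the time-zone consistency heuristic, the feed and all sample values are assumptions constructed for illustration.

```python
"""Device identification check for logins to a sensitive application."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Login:
    user: str
    attrs: tuple          # device attributes reported by the client (assumed fields)
    ip_country: str       # country from IP geolocation
    tz_country: str       # country implied by the device's time zone
    via_anonymizer: bool  # connection arrived through a known proxy or anonymizer


def device_id(attrs):
    """Stable identifier derived from device attributes (a simple fingerprint)."""
    return hashlib.sha256("|".join(attrs).encode()).hexdigest()[:16]


def assess(login, enrolled, infected_feed):
    """Return (decision, reasons) for one login attempt."""
    dev = device_id(login.attrs)
    infected = dev in infected_feed
    reasons = []
    if infected:
        reasons.append("device reported infected")
    if dev not in enrolled.get(login.user, set()):
        reasons.append("device not enrolled for user")
    if login.via_anonymizer or login.ip_country != login.tz_country:
        reasons.append("location hidden or inconsistent")
    if infected:
        return "deny", reasons       # known-bad device: block outright
    if reasons:
        return "step-up", reasons    # unfamiliar or evasive: require extra verification
    return "allow", reasons


# Constructed sample data (hypothetical devices, user and threat feed)
LAPTOP = ("Windows 7", "IE 9", "1366x768")
TABLET = ("iOS 6", "Safari 6", "1024x768")
ENROLLED = {"alice": {device_id(LAPTOP)}}
INFECTED = {device_id(TABLET)}

if __name__ == "__main__":
    for login in (
        Login("alice", LAPTOP, "US", "US", False),
        Login("alice", LAPTOP, "RO", "US", True),
        Login("alice", TABLET, "US", "US", False),
    ):
        print(login.user, *assess(login, ENROLLED, INFECTED))
```

Client-reported attributes can be spoofed, so a fingerprint match is a signal for step-up decisions rather than a replacement for user authentication.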


Reader comments

Tue, May 28, 2013
Masvetti
DC

Let's see what everyone thinks of VA's BYOD. With all of the issues facing the VA with IG investigations of corruption, Baker sneaking out in the middle of the night, Bob Howard's sexual relationship with his underling, employees' unaccountability and I assume missing, SES and GS14's and 15's padding resumes to get these high paying jobs and not knowing a thing about IT and let's not forget how most of these leaders go into these positions in the first place. My cousin was the CIO, Albinson so I should be the Deputy CIO too. So BYOD, do you really think these managers have a clue on how to get that working? I would say no. They are too busy trying to figure out why a GS15 who should have passed FACPPM training years ago can't do it now. Better yet, why that same GS15 is really good long term friends with a SES and why that GS15 has been a program manager and the COR of a $50mil contract when she has never been certified as a COR. Welcome to OIT and the continued 250 reorgs since 2004. Same crappy managers retiring with huge salaries at GS15 step 10 and they know nothing of IT.

Mon, Apr 29, 2013

I think this article is focusing on the wrong risks or at least being very myopic. Sure, malware is an issue but that's not unique to BYOD. Any company-issued device (whether it's iOS or Blackberry, etc.) can be infected with malware somehow. Data leakage, co-mingling of sensitive company data and personal data, and not having control of your data is the real problem. Not to mention how BYOD enables employees to steal or mishandle information for any variety of reasons including disgruntlement, maliciousness, or corporate espionage which cannot be tracked if the information would already be permitted on the device.

Mon, Apr 29, 2013

"Developing BYOD policies is beneficial because they will help agencies reduce costs and increase productivity." Ah the myth that the govt can spend less money while increasing productivity. As long as they take the steps outlined, they can mitigate the risks. Of course these steps will cost a lot of money in labor and hardware/software. Run that part by me again that said we can reduce costs while increasing productivity.....right, as long as we spend a lot to do it......lol!!

Mon, Apr 29, 2013
Beltway Billy

The Govt has good user authentication - CAC & PIV... but horrible when it comes to authenticating device (e.g. TPM for laptops; soft certs for all devices, many possible characteristics for all devices) and authenticating apps / software. Unfortunately, there's not a great deal of COTS available in this area.

Mon, Apr 29, 2013
Beltway Billy

Your article mis-directs..... Malware is a big problem on Android & Windows, less on MacOS, Linux and Blackberry, but absent on iOS. There is no anti-virus on iOS because the model simply doesn't allow it.
